The HIPAA Breach Notification Rule sets out the notifications that HIPAA covered entities and their business associates must issue after a data breach: to patients, to plan members and to the HHS’ Office for Civil Rights. Healthcare organizations must also comply with state data breach notification laws, which in some U.S. states require notifications to be issued more rapidly than HIPAA does. Those laws cover different types of information, impose additional notification requirements, and in some states require credit monitoring and identity theft protection services to be offered to breach victims.
Currently, there are 48 separate state data breach notification laws. For a small health system operating in one or two states, keeping up to date with relevant state data breach notification laws is straightforward. For large health systems and health plans that operate in multiple states, keeping up to date with changes to state laws, and ensuring compliance with those laws, can be a challenge.
Bill Proposes Standardization of State Data Breach Notification Laws
Congressman Jim Langevin (D-RI) has recently re-proposed a bill (H.R. 3806) – The Personal Data Breach Notification Act – that would standardize data breach notification laws and ensure that all consumers are notified of breaches promptly, regardless of where they live.
Rather than leaving breach notification to separate state laws, the Personal Data Breach Notification Act would introduce a single national data breach notification standard. It would apply to all organizations or entities that collect the data of more than 10,000 individuals over a 12-month period, and its provisions would supersede any provision of the law of any State.
Not only would the bill make it easier for businesses to understand what they are required to do following a data breach, Langevin explains it will “strengthen companies’ obligations to report intrusions that compromise consumers’ personal information.”
30-Day Time Limit for Issuing Breach Notifications
Currently, state data breach notification laws require notifications to be issued to consumers as soon as possible following the discovery of a breach, although the maximum time frame for issuing those notifications differs from state to state, and the speed of notification also depends on which entity experienced the breach.
The Personal Data Breach Notification Act would standardize notification time frames and ensure that consumers are informed of a breach of their personal information faster. The proposed maximum time limit for issuing notifications is 30 days from the discovery of the breach, and the bill also states that there must be no unreasonable delay in issuing them.
Additional time may be granted to breached entities in certain circumstances, although a request for an extension would have to be made to the Federal Trade Commission, which would be responsible for enforcing the Personal Data Breach Notification Act.
As with HIPAA breach notifications, law enforcement could request that notifications be delayed so as not to impede an investigation. In such cases, the Director of the United States Secret Service or the Director of the Federal Bureau of Investigation would be permitted to authorize a delay of up to 30 days – meaning a maximum time frame of 60 days from the discovery of a breach.
Data Elements Covered by the Personal Data Breach Notification Act
A breach is defined as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in: (i) the unauthorized acquisition of sensitive personally identifiable information; or (ii) access to sensitive personally identifiable information that is for an unauthorized purpose, or in excess of authorization.”
The exposure of the following information would require breach notifications to be issued.
Currently, many state data breach laws require the breached entity to notify the state attorney general of a breach of personal information. If the Personal Data Breach Notification Act is passed, a government agency would have to be designated to receive breach notification reports.
Notifications could be made by mail, telephone, or email, with email permissible only if the individual has consented to receiving electronic notifications.
As with HIPAA, a media notice must also be issued, although rather than HIPAA’s threshold of more than 500 residents of a state or jurisdiction, the Personal Data Breach Notification Act would require a media notice only if the breach impacts 5,000 or more individuals.
Failure to comply with the Personal Data Breach Notification Act could result in financial penalties. The FTC would be able to impose financial penalties under the same penalty structure that applies to violations of the Federal Trade Commission Act. State attorneys general would also be permitted to enforce compliance and take action against entities that violate the Personal Data Breach Notification Act.